Tools for Keeping up with a Flood of Security Patches

ATLANTA -- A few times a week now it seems that Microsoft Corp. is updating one server product or another with a patch for some security vulnerability.

It's not too hard to keep track if you're running one server, but keeping up in an enterprise with hundreds or thousands of potentially vulnerable machines serving dozens of functions can be time-consuming and worrisome.

Two tools vendors unveiled updates this week at Microsoft's TechEd 2001 show for helping companies stay on top of the situation companywide.

PatchLink Corp. will deliver PatchLink Update 3.0 in the third quarter. ConfigureSoft made version 3.6 of its Enterprise Configuration Manager product available immediately.

The software companies take different approaches. PatchLink 3.0 focuses narrowly on security patches, but it helps administrators deploy the patches and covers multiple platforms. ConfigureSoft supports just the Windows platform and alerts administrators about new patches affecting their environments, but it has a broader scope than security patches.

"An overwhelming majority of all security breaches can be prevented if software patches and updates are applied when they are first available," PatchLink CEO Sean Moshir says.

With PatchLink 3.0, server-side software performs a discovery across the network for what is installed. The results are consolidated in a report. Necessary patch updates that are prepared by PatchLink from operating system vendors security bulletins get deployed automatically.

PatchLink agents on the servers that run the native code of the operating system install the patches and can reboot the machine if necessary. The software supports Novell NetWare, Windows, Linux, IBM AIX, Sun Solaris and HP-UX.

ConfigureSoft also does discovery on Windows networks. While the company's 3.6 release includes Microsoft current security patches, the company focus includes the base configuration of the machines.

"I can say with absolute confidence that there is no such thing as a large-scale Microsoft enterprise that is secure that is not running ECM. It's not because people aren't disciplined or diligent, it's that they can't fix what they don't see," says ConfigureSoft CEO Alexander Goldstein.

"We allow you to see in an enterprise view where all your hotfixes are deployed and where they're not deployed," Goldstein says.

The tool also checks for configuration basics, like including a password in the administrator account. Templates allow an enterprise to make sure all servers of a certain class, i.e. IIS servers or SQL Servers, are configured the same. Administrators can run the tool periodically to make sure individual machines haven't strayed from the standard configuration.